Page created: 5 Jan 2021
|
Page updated: 8 Feb 2022
When using the PingOne MFA IdP Adapter through the PingFederate authentication API, the following flows are used for multi-factor authentication (MFA) requests. These are initiated in the web browser.
MFA via email

- The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to MFA, when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.
- The status of
AUTHENTICATION_REQUIRED
is returned in the response to the API client. - The API client invokes the
authenticate
action. - The status of
DEVICE_SELECTION_REQUIRED
is returned with the devices object in the response to the API client. - The API client invokes
selectDevice
action and specifies the device ID of the device to use for multi-factor authentication. - The status of
OTP_REQUIRED
, together with the devices andselectedDeviceRef
object, are returned in the response to the API client. In parallel, the user receives an email containing the OTP for authentication. - After the user has entered the OTP, the API client invokes the
checkOtp
action, submitting the OTP value to PingFederate. - On successful completion of MFA, PingFederate returns the status of
MFA_COMPLETED
to the API client. - The API client invokes the
continueAuthentication
action. The API client must callcontinueAuthentication
in order to progress in the OIDC flow, and to complete it. - PingFederate returns a single sign-on (SSO) ID token and access token to the API client.
MFA via the mobile app

- The user completes first-factor authentication. Completion of first-factor authentication is a prerequisite before progressing to MFA, when using the PingOne MFA IdP Adapter with the PingFederate Authentication API flow.
- The status of
AUTHENTICATION_REQUIRED
is returned in the response to the API client. - The API client invokes the
authenticate
action. - The status of
DEVICE_SELECTION_REQUIRED
is returned with the devices object in the response to the API client. - The API client invokes
selectDevice
action and specifies the device ID of device to use for multi-factor authentication. - The status of
PUSH_CONFIRMATION_WAITING
, together with the devices andselectedDeviceRef
object, are returned in the response to the API client. - The API client invokes the
poll
action, so that PingFederate gets the status of the mobile push. This is repeated until either a successful status is received or a timeout is reached. - One of the following alternative statuses is reached:
MFA_COMPLETED
:- The user receives a push notification and approves the authentication.
- The API client invokes the
continueAuthentication
action. The API client must callcontinueAuthentication
in order to progress in the OIDC flow, and to complete it. - PingFederate returns an access token for SSO, to the API client.
PUSH_CONFIRMATION_TIMED_OUT
:- The device was not reachable.
- There are three options available via the API client:
- Retry by calling
selectDevice
with thedeviceRef
object. - Select a different device by calling
selectDevice
with a differentdeviceRef
object. - Cancel the authentication request by calling
cancelAuthentication
.
- Retry by calling
PUSH_CONFIRMATION_REJECTED
:- The user receives a push notification, but denies it.
- There are three options available via the API client:
- Retry by calling
selectDevice
with thedeviceRef
object. - Select a different device by calling
selectDevice
with a differentdeviceRef
object. - Cancel the authentication request by calling
cancelAuthentication
.
- Retry by calling